real world defense strategies for targeted endpoint threats
TRANSCRIPT
PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
Real World Defense Strategies
- for -
Targeted Endpoint Threats
Agenda
• Advanced Persistent Threats (APTs)
• Targeted Threats Trends
• Targeted Threats Framework
• Defense in Depth
• Q & A
Advanced Persistent Threats
Real? Or vendor hype? What’s your perspective …
»Something new?
»Merely marketing hype?
»Limited to large companies?
»All about China?
»APT = Malware?
Targeted Threat Concerns
Ponemon Research: 2013 State of the Endpoint
ISACA Research: Advanced Persistent Threats Are Real
» 93.6% feel APTs are a serious threat
» 63% think it is only a matter of time
» 79% feel this is the largest gap in APT prevention
» 1 in 5 have experienced an APT attack
[Chart] Figure 4: IT security risks of most concern since 2010. Series: Increased use of mobile platforms; Advanced persistent threats; Intrusion and data loss within a virtual environment. Years shown: 2012, 2011, 2010. More than three choices permitted in 2010 and 3 choices permitted in 2011 and 2012. * This choice was not available in all fiscal years.
Targeted Threat Trends
Targeted Attacks by Organization Size
Source: Symantec
External Actors Responsible for Majority of Attacks
Source: Verizon 2013 Data Breach Investigations Report
Healthcare – Most frequent data breaches
Targeted Threats - Top 10 Industries Attacked in 2012
Source: Symantec
Threat Environment – Threat Trends
• User endpoints are consistently targeted
» 71% of attacks targeted user devices (Source: Verizon)
Common APT Characteristics
• Highly targeted and endpoint-focused
• Uses both sophisticated and low-tech techniques
» Delivery: USB keys, social engineering, watering hole, etc.
» Zero-day vs. “known” vulnerabilities
» Fraudulent certificates
• Centralized Command and Control
• Undetected for prolonged periods
» Exfiltration masking
» “Hiding in plain sight”
Targeted Threat Framework
Targeted Threat Framework
Discover
» Identify the Target
» Plan for Penetration
» Probe the Perimeter
Essentially “casing the joint”
Distribute
» Package the Payload
» Deliver the Payload
Design and develop not only the payload but also the delivery vehicle
Exploit
» Trigger the Payload
» Exploit the Vulnerability
Activation may not be immediate and may involve multiple vulnerabilities
Control
» Install Malware on System
» Connect Back to Attacker
» Command & Control
Often involves an encrypted communications channel and manual interaction
Execute
» Upset the CIA Triad
• Confidentiality
• Integrity
• Availability
» Obfuscate and Extend
Taking action against planned objectives
Targeted Threat Framework
Phase        Detect              Deny                                                 Disrupt
Discover     Web analytics       Firewall ACL                                         -
Distribute   Vigilant end user   Web filtering, Spear-phish detection                 AV
Exploit      Vigilant end user   White listing, Memory protection, Patch Management   Sandboxing
Control      Next gen FW, NIPS   FW ACL, NIDS                                         DNS
Execute      SIEM, Audit Logs    -                                                    -
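As an added example that is not part of the original deck, the Detect column for the Control phase can be illustrated with a small beacon detector run over proxy or firewall log lines of the kind a SIEM collects: regular, low-variance connection intervals from one host to one external address are a signature of automated command-and-control check-ins. The "timestamp src dst bytes" log format and the sample lines are constructed for this example.

```python
"""Beacon detector over proxy-style log lines (added example; log format assumed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, format "timestamp src dst bytes". Host 10.0.0.5 contacts one
# external address every ~300 s (a C2 check-in pattern); 10.0.0.9 browses irregularly.
# Addresses are documentation ranges, not real indicators.
SAMPLE_LOG = """\
2013-06-01T09:00:00 10.0.0.5 203.0.113.7 512
2013-06-01T09:05:01 10.0.0.5 203.0.113.7 498
2013-06-01T09:10:00 10.0.0.5 203.0.113.7 530
2013-06-01T09:14:59 10.0.0.5 203.0.113.7 505
2013-06-01T09:20:00 10.0.0.5 203.0.113.7 511
2013-06-01T09:00:12 10.0.0.9 198.51.100.4 20480
2013-06-01T09:03:40 10.0.0.9 198.51.100.4 1024
2013-06-01T09:31:05 10.0.0.9 198.51.100.4 77000
2013-06-01T09:32:00 10.0.0.9 198.51.100.4 300
"""

def parse_flows(log_text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(times):
    """Coefficient of variation of inter-connection gaps: near 0 means a
    metronome-like schedule. Returns None when there are too few gaps to judge."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(log_text, max_cv=0.1):
    """Return (src, dst, score) for pairs whose connection timing is suspiciously regular."""
    suspects = []
    for (src, dst), times in parse_flows(log_text).items():
        score = beacon_score(times)
        if score is not None and score <= max_cv:
            suspects.append((src, dst, round(score, 3)))
    return suspects  # SAMPLE_LOG -> [("10.0.0.5", "203.0.113.7", 0.003)]
```

Legitimate software (update checks, mail polling) also beacons, so a low score is a lead to correlate with the Deny and Disrupt controls in the table (firewall ACL hits, DNS history), not a verdict. Real check-ins often add jitter, so the threshold needs tuning against your own baseline.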
Defense-in-Depth
Defense-in-Depth Strategy
Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:
» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus
[Diagram] Layers: Patch and Configuration Management; Application Control; Memory Protection; Device Control; AV; Hard Drive and Media Encryption
Endpoint Defense-in-Depth
[Diagram] Endpoint layers: Configuration Management; Patch Management; Anti-Malware; Port / Device Control; Data Encryption. Access paths: Network Access; Physical Access
Additional Information
• For End User Education
» “Be Aware of What You Share” at www.lumension.com/be-aware
• For Security Pros (www.lumension.com/Resources)
» Whitepaper “The State of APT Preparedness” from UBM Tech at ~/WhitePapers/The-State-of-APT-Preparedness
» On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at ~/Webcasts/Top-9-Mistakes-of-APT-Victims
• More on APT issues and solutions in the Optimal Security blog at blog.lumension.com/tag/advanced-persistent-threat/
Q & A
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
http://blog.lumension.com